CVE-2024-47177
published 2024-09-26CVE-2024-47177: Informational: No Impact of CUPS Vulnerabilities on Palo Alto Networks Products The Palo Alto Networks Product Security Assurance team has evaluated…
medium5.3CVSS 3.1
AVNACLPRNUINSUCNILAN
EXPLOIT
Informational: No Impact of CUPS Vulnerabilities on Palo Alto Networks Products
The Palo Alto Networks Product Security Assurance team has evaluated CVE-2024-47076, CVE-2024-47177, CVE-2024-47175, and CVE-2024-47176 in the Common UNIX Printing System (CUPS) as they relate to our products.
Based on current information, Palo Alto Networks products and cloud services do not contain affected CUPS-related software packages and are not impacted by these issues.
Affected products: Cloud NGFW, Cortex XDR, Cortex XDR Agent, Cortex XSIAM, Cortex XSOAR, GlobalProtect App, PAN-OS, Prisma Access, Prisma Browser, Prisma Cloud, Prisma Cloud Compute, Prisma SD-WAN
Solution: No software updates are required at this time.
Workaround: Customers who decide to block CUPS traffic can create a Security policy rule (Policies > Security) that targets the "cups" application. Refer to the information about creating Security policy rules: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/security-policy/create-a-security-policy-rule
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | cups-filters | < cups-filters 1.28.17-3+deb12u1 (bookworm) | cups-filters 1.28.17-3+deb12u1 (bookworm) |
| chrome_chrome | — | — | |
| linuxfoundation | cups-filters | >= 0 < 1.28.7-1+deb11u3 | 1.28.7-1+deb11u3 |
| linuxfoundation | cups-filters | >= 0 < 1.28.17-3+deb12u1 | 1.28.17-3+deb12u1 |
| linuxfoundation | cups-filters | >= 0 < 1.28.17-5 | 1.28.17-5 |
| linuxfoundation | cups-filters | >= 0 < 1.28.17-5 | 1.28.17-5 |
| openprinting | cups | < 2.4.13 | 2.4.13 |
| openprinting | cups-browsed | — | — |
| paloalto | cloud_ngfw | — | — |
| paloalto | cortex_xdr | — | — |
| paloalto | cortex_xdr_agent | — | — |
| paloalto | cortex_xsiam | — | — |
| paloalto | cortex_xsoar | — | — |
| paloalto | globalprotect_app | — | — |
| paloalto | pan-os | — | — |
| paloalto | prisma_access | — | — |
| paloalto | prisma_browser | — | — |
| paloalto | prisma_cloud | — | — |
| paloalto | prisma_cloud_compute | — | — |
| paloalto | prisma_sd-wan | — | — |
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
osv8.6HIGH
vendor_debian8.6HIGH
vendor_redhat8.6HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Chrome
Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2024-47177
vendor_chrome·2024-10-29·CVSS 8.6
CVE-2024-47177 [HIGH] Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2024-47177
Stable Channel Update for ChromeOS / ChromeOS Flex
CVE-2024-47177
Palo Alto
Informational: No Impact of CUPS Vulnerabilities on Palo Alto Networks Products
vendor_paloalto·2024-09-26·CVSS 8.6
CVE-2024-47076 [HIGH] CWE-78 Informational: No Impact of CUPS Vulnerabilities on Palo Alto Networks Products
Informational: No Impact of CUPS Vulnerabilities on Palo Alto Networks Products
The Palo Alto Networks Product Security Assurance team has evaluated CVE-2024-47076, CVE-2024-47177, CVE-2024-47175, and CVE-2024-47176 in the Common UNIX Printing System (CUPS) as they relate to our products.
Based on current information, Palo Alto Networks products and cloud services do not contain affected CUPS-related software packages and are not impacted by these issues.
Affected products: Cloud NGFW, Cortex XDR, Cortex XDR Agent, Cortex XSIAM, Cortex XSOAR, GlobalProtect App, PAN-OS, Prisma Access, Prisma Browser, Prisma Cloud, Prisma Cloud Compute, Prisma SD-WAN
Solution: No software updates are required at this time.
Workaround: Customers who decide to block CUPS traffic can create a Security poli
Red Hat
cups-browsed: cups-browsed binds on UDP INADDR_ANY:631 trusting any packet from any source
vendor_redhat·2024-09-26·CVSS 8.6
CVE-2024-47176 [HIGH] CWE-940 cups-browsed: cups-browsed binds on UDP INADDR_ANY:631 trusting any packet from any source
cups-browsed: cups-browsed binds on UDP INADDR_ANY:631 trusting any packet from any source
CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.
A security issue has been identified in OpenPrinting CUPS.
The function ppdCreatePPDFromIPP2
Debian
CVE-2024-47176: cups-filters - CUPS is a standards-based, open-source printing system, and `cups-browsed` conta...
vendor_debian·2024·CVSS 8.6
CVE-2024-47176 [HIGH] CVE-2024-47176: cups-filters - CUPS is a standards-based, open-source printing system, and `cups-browsed` conta...
CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.
Scope: local
bookworm: resolved (fixed in 1.28.17-3+deb12u1)
bullseye: resolved (fixed in 1.28.7-1+deb11u3)
forky: resolved (fixed in 1.28.17-5)
sid: resolved (fixed in 1.28.17-5)
trixie
OSV
CVE-2024-47176: CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto
osv·2024-09-26·CVSS 8.6
CVE-2024-47176 [HIGH] CVE-2024-47176: CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto
CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.
Suricata
ET INFO Observed Server Responding with PDD File With Known Dangerous/Exploitable Parameter
suricata·2024-09-26
CVE-2024-47177 ET INFO Observed Server Responding with PDD File With Known Dangerous/Exploitable Parameter
ET INFO Observed Server Responding with PDD File With Known Dangerous/Exploitable Parameter
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Observed Server Responding with PDD File With Known Dangerous/Exploitable Parameter"; flow:established,to_client; http.response_body; content:"|0a|*FoomaticRIPCommandLine|3a|"; reference:cve,2024-47177; classtype:misc-activity; sid:2056213; rev:1; metadata:created_at 2024_09_26, cve CVE_2024_47177, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_09_26;)
Elastic
Network Connection by Cups or Foomatic-rip Child
elastic_rules·CVSS 8.6
CVE-2024-47176 [HIGH] Network Connection by Cups or Foomatic-rip Child
Network Connection by Cups or Foomatic-rip Child
This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176,
CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects network connections initiated by a
child processes of foomatic-rip. These flaws impact components like cups-browsed, libcupsfilters, libppd, and
foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through crafted
UDP packets or network spoofing. This can result in arbitrary command execution when a print job is initiated.
Query:
sequence by host.id with maxspan=10s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.parent.name == "foomatic-rip"
Elastic
Suspicious Execution from Foomatic-rip or Cupsd Parent
elastic_rules·CVSS 8.6
CVE-2024-47176 [HIGH] Suspicious Execution from Foomatic-rip or Cupsd Parent
Suspicious Execution from Foomatic-rip or Cupsd Parent
This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176,
CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects suspicious process command lines
executed by child processes of foomatic-rip and cupsd. These flaws impact components like cups-browsed, libcupsfilters,
libppd, and foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data
through crafted UDP packets or network spoofing. This can result in arbitrary command execution when a print job is
initiated.
Query:
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
process
Elastic
Cupsd or Foomatic-rip Shell Execution
elastic_rules·CVSS 8.6
CVE-2024-47176 [HIGH] Cupsd or Foomatic-rip Shell Execution
Cupsd or Foomatic-rip Shell Execution
This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176,
CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects shell executions from the
foomatic-rip parent process. These flaws impact components like cups-browsed, libcupsfilters, libppd, and foomatic-rip,
allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through crafted UDP packets or
network spoofing. This can result in arbitrary command execution when a print job is initiated.
Query:
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.parent.name == "foomatic-rip" and
process.name in
Elastic
File Creation by Cups or Foomatic-rip Child
elastic_rules·CVSS 8.6
CVE-2024-47176 [HIGH] File Creation by Cups or Foomatic-rip Child
File Creation by Cups or Foomatic-rip Child
This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176,
CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects suspicious file creation events
executed by child processes of foomatic-rip. These flaws impact components like cups-browsed, libcupsfilters, libppd,
and foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through
crafted UDP packets or network spoofing. This can result in arbitrary command execution when a print job is initiated.
Query:
sequence by host.id with maxspan=10s
[process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start") and
process.parent.name ==
Elastic
Printer User (lp) Shell Execution
elastic_rules·CVSS 8.6
CVE-2024-47176 [HIGH] Printer User (lp) Shell Execution
Printer User (lp) Shell Execution
This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176,
CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects shell executions from the foomatic-rip
parent process through the default printer user (lp). These flaws impact components like cups-browsed, libcupsfilters,
libppd, and foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data
through crafted UDP packets or network spoofing. This can result in arbitrary command execution when a print job is
initiated.
Query:
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "ProcessRollup2", "ProcessRollup2") and user.name == "
Securelist
Exploits and vulnerabilities in Q3 2024
blogs_securelist·2024-12-06·CVSS 8.1
CVE-2024-47177 [HIGH] Exploits and vulnerabilities in Q3 2024
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most prevalent exploits
Vulnerability exploitation in APT attacks
Interesting vulnerabilities
CVE-2024-47177 (CUPS filters)
CVE-2024-38112 (MSHTML Spoofing)
CVE-2024-6387 (regreSSHion)
CVE-2024-3183 (Free IPA)
CVE-2024-45519 (Zimbra)
CVE-2024-5290 (Ubuntu wpa_supplicant)
Conclusion and advice
Authors
Alexander Kolesnikov
Q3 2024 saw multiple vulnerabilities discovered in Windows and Linux subsystems that are not standard for cyberattacks. This is because operating system developers have been releasing new security mitigations for whole sets of vulnerabilities in commonly used subsystems. For example, a log integrity check is set to appear in the Co
Securelist
Analyzing the vulnerability landscape in Q3 2024
blogs_securelist·2024-12-06·CVSS 8.1
CVE-2024-47177 [HIGH] Analyzing the vulnerability landscape in Q3 2024
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- Interesting vulnerabilities
- CVE-2024-47177 (CUPS filters)
- CVE-2024-38112 (MSHTML Spoofing)
- CVE-2024-6387 (regreSSHion)
- CVE-2024-3183 (Free IPA)
- CVE-2024-45519 (Zimbra)
- CVE-2024-5290 (Ubuntu wpa_supplicant)
- Conclusion and advice
Authors
- Alexander Kolesnikov
Q3 2024 saw multiple vulnerabilities discovered in Windows and Linux subsystems that are not standard for cyberattacks. This is because operating system developers have been releasing new security mitigations for whole sets of vulnerabilities in commonly used subsystems. For example, a log integrity check is set to appear in the Common Log Filing System (CLFS) in Windows, so the number
Wiz
Crying Out Cloud - October 2024 Newsletter | Wiz
blogs_wiz·2024-10-01·CVSS 9.0
CVE-2024-0132 [CRITICAL] Crying Out Cloud - October 2024 Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks!
## 🔍 Highlights
Critical Vulnerability in NVIDIA Container Toolkit
Wiz Research uncovered a critical vulnerability, CVE-2024-0132, in the widely used NVIDIA Container Toolkit. The vulnerability allows attackers with control over a container image to escape the container and gain full access to the underlying host. It is strongly recommended to update the affected package to the latest version 1.16.2, while focusing on container hosts that might run untrusted container images.
According to Wiz data, 33% of cloud environments are impacted by CVE-2024-0132.
Learn more in our blog .
## 🐞 High Profile Vulnerab
Wiz
OpenPrinting CUPS Vulnerabilities: Analysis of related CVEs | Wiz Blog
blogs_wiz·2024-09-29·CVSS 8.6
CVE-2024-47176 [HIGH] OpenPrinting CUPS Vulnerabilities: Analysis of related CVEs | Wiz Blog
The security researcher Simone Margaritelli ( evilsocket ), disclosed details of several vulnerabilities impacting CUPS and IPP packages: CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. These vulnerabilities are unlikely to be exploited in most cloud environments due to their requirements for exposing UDP port 631 and needing the victim to attempt a print request as part of the currently disclosed exploitation method.
The vulnerabilities received CVSS base scores ranging from 8.0 to 9.0. It is recommended to mitigate these vulnerabilities and apply patches.
## What are these vulnerabilities?
A remote, unauthenticated attacker can replace existing printers with a malicious one or add a new printer under their control, leading to arbitrary command execution when a prin
Wiz
OpenPrinting CUPS Vulnerabilities: Analysis of related CVEs | Wiz Blog
blogs_wiz·2024-09-29·CVSS 8.6
CVE-2024-47076 [HIGH] OpenPrinting CUPS Vulnerabilities: Analysis of related CVEs | Wiz Blog
The security researcher Simone Margaritelli (evilsocket), disclosed details of several vulnerabilities impacting CUPS and IPP packages: CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. These vulnerabilities are unlikely to be exploited in most cloud environments due to their requirements for exposing UDP port 631 and needing the victim to attempt a print request as part of the currently disclosed exploitation method.
The vulnerabilities received CVSS base scores ranging from 8.0 to 9.0. It is recommended to mitigate these vulnerabilities and apply patches.
# What are these vulnerabilities?
A remote, unauthenticated attacker can replace existing printers with a malicious one or add a new printer under their control, leading to arbitrary command execution when a print j
Elastic
Cups Overflow: When your printer spills more than Ink — Elastic Security Labs
blogs_elastic·2024-09-28·CVSS 6.8
[MEDIUM] Cups Overflow: When your printer spills more than Ink — Elastic Security Labs
28 September 2024•Mika Ayenson, PhD•Terrance DeJesus•Eric Forte•Ruben Groenewoud
# Cups Overflow: When your printer spills more than Ink
Elastic Security Labs discusses detection and mitigation strategies for vulnerabilities in the CUPS printing system, which allow unauthenticated attackers to exploit the system via IPP and mDNS, resulting in remote code execution (RCE) on UNIX-based systems such as Linux, macOS, BSDs, ChromeOS, and Solaris.
9 min readDetection Engineering, Product Updates
## Update October 2, 2024
The following packages introduced out-of-the-box (OOTB) rules to detect the exploitation of these vulnerabilities. Please check your "Prebuilt Security Detection Rules" integration versions or visit the Downloadable rule updates site.
- Stack Version 8.15 - Package Version
Elastic
Cups Overflow: When your printer spills more than Ink — Elastic Security Labs
blogs_elastic·2024-09-28
Cups Overflow: When your printer spills more than Ink — Elastic Security Labs
## Cups Overflow: When your printer spills more than Ink
Elastic Security Labs discusses detection and mitigation strategies for vulnerabilities in the CUPS printing system, which allow unauthenticated attackers to exploit the system via IPP and mDNS, resulting in remote code execution (RCE) on UNIX-based systems such as Linux, macOS, BSDs, ChromeOS, and Solaris.
## Update October 2, 2024
The following packages introduced out-of-the-box (OOTB) rules to detect the exploitation of these vulnerabilities. Please check your "Prebuilt Security Detection Rules" integration versions or visit the Downloadable rule updates site.
Stack Version 8.15 - Package Version 8.15.6+
Stack Version 8.14 - Package Version 8.14.12+
Stack Version 8.13 - Package Version 8.13.18+
Stack Version 8.12 - Package
Qualys
Unauthenticated RCE in CUPS: Critical Printing System Flaws
blogs_qualys·2024-09-26·CVSS 8.6
[HIGH] Unauthenticated RCE in CUPS: Critical Printing System Flaws
## Table of Contents
What Is CUPS?
CUPS Printing System Vulnerabilities
How to Fix CUPS Vulnerabilities:
Why These CUPS Printing Flaws Are a Serious Threat
Recommended Security Measures for Enterprises to mitigate RCE vulnerability
How Qualys Helps Detect and Fix CUPS Vulnerabilities
Conclusion
Next Steps to Secure Your CUPS Printing System
FAQ:
A critical set of unauthenticated Remote Code Execution (RCE) vulnerabilities in CUPS, affecting all GNU/Linux systems and potentially others, was disclosed today. These vulnerabilities allow a remote attacker to execute arbitrary code on a target system without valid credentials or prior access. Major organizations like Canonical and Red Hat have confirmed this flaw, assigning it a high severity with a CVSS score of 9.9 out of 10.
Based
Tenable
CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: Frequently Asked Questions About Common UNIX Printing System (CUPS) Vulnerabilities
blogs_tenable·2024-09-26·CVSS 8.6
[HIGH] CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: Frequently Asked Questions About Common UNIX Printing System (CUPS) Vulnerabilities
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Qualys
CUPS RCE Vulnerabilities: Patch Critical Flaws | Qualys
blogs_qualys·2024-09-26·CVSS 8.6
[HIGH] CUPS RCE Vulnerabilities: Patch Critical Flaws | Qualys
#### Table of Contents
- What Is CUPS?
- CUPS Printing System Vulnerabilities
- How to Fix CUPS Vulnerabilities:
- Why These CUPS Printing Flaws Are a Serious Threat
- Recommended Security Measures for Enterprises to mitigate RCE vulnerability
- How Qualys Helps Detect and Fix CUPS Vulnerabilities
- Conclusion
- Next Steps to Secure Your CUPS Printing System
- FAQ:
A critical set of unauthenticated Remote Code Execution (RCE) vulnerabilities in CUPS, affecting all GNU/Linux systems and potentially others, was disclosed today. These vulnerabilities allow a remote attacker to execute arbitrary code on a target system without valid credentials or prior access. Major organizations like Canonical and Red Hat have confirmed this flaw, assigning it a high severity with a CVSS score of 9.9 out o
Bugzilla
CVE-2024-47177 cups-filters: foomatic: foomatic-rip in cups-filters allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter
bugzilla·2024-09-23·CVSS 8.6
CVE-2024-47177 [HIGH] CVE-2024-47177 cups-filters: foomatic: foomatic-rip in cups-filters allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter
CVE-2024-47177 cups-filters: foomatic: foomatic-rip in cups-filters allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter
A security flaw was found in OpenPrinting CUPS. A remote attacker may be able to exploit cups-filters via the `FoomaticRIPCommandLine` entry in the PPD file, which would trigger the CUPS system to execute any arbitrary commands injected into that file when a print job is sent to the affected device.
2024-09-26
Published